On Mon, 30 Nov 2015, Maupertuis Philippe wrote:
What I tried was:
if ($programname startswith 'fw1-loggrabber') & (%msg:F,124,6:3,18% == "xx.xx.xx.xx") then
action(type="omfile" ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfw1")
the property replacer only works in formats, you can't use it in if statements.
with recent versions, you can do
set $.var = exec_template("templatename");
to use the property replacer to define a variable.
David Lang
Resulting in this error:
rsyslogd -N3 -f /etc/rsyslog.conf.pms
rsyslogd: version 7.4.10, config validation run (level 3), master config /etc/rsyslog.conf.pms
rsyslogd: error during parsing file /etc/rsyslog.conf.pms, on or before line 92: syntax error on token '%' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf.pms'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
In case the whole config file is needed:
### Module loading
module( load="builtin:omfile"
template="RSYSLOG_TraditionalFileFormat"
)
#module(load="imtcp") # provides TCP support
$ModLoad imtcp
$InputTCPMaxSessions 2000
module(load="imudp") # provides UDP support
# Provides periodic output of rsyslog internal counters
module(load="impstats.so" interval="60")
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
module(load="immark") # provides --MARK-- message capability
$FileCreateMode 0640
$DirCreateMode 0755
$ActionSendTCPRebindInterval 5000
$RulesetCreateMainQueue on # Allows splitting the queues
$MaxOpenFiles 10240 #Note that this includes open tcp sockets
$WorkDirectory /var/spool/rsyslog
#Main Queue directives
$MainMsgQueueFileName mainq
$MainMsgQueueType LinkedList # run asynchronously
$MainMsgQueueSize 2000000
$MainMsgQueueDiscardMark 1800000
$MainMsgQueueLowWaterMark 200000
$MainMsgQueueHighWaterMark 1600000
$MainMsgQueueDequeueBatchSize 1024
$MainMsgQueueMaxDiskSpace 4g #
$MainMsgQueueSaveOnShutdown on # save messages to disk on shutdown
$MainMsgQueueDiscardSeverity 7
##Debug mode
#
input(type="imudp" port="514" ruleset="remote_RS") # Listen on 514 for UDP and send to the appropriate ruleset
input(type="imtcp" port="5140" ruleset="remote_RS") # Listen on 5140 for TCP and send to the appropriate ruleset
$template DYNfile,"/dailylog/HOSTS/%HOSTNAME:R,ERE,1,FIELD:^([a-zA-Z0-9-]+)(\.[a-zA-Z0-9-]+)*$--end%/%$YEAR%-%$MONTH%-%$DAY%/%syslogfacility-text%-%$HOUR%"
# Remove the domain part from hostname
$template DYNaudit,"/dailylog/HOSTS/%HOSTNAME:R,ERE,1,FIELD:^([a-zA-Z0-9-]+)(\.[a-zA-Z0-9-]+)*$--end%/%$YEAR%-%$MONTH%-%$DAY%/audit-%$HOUR%"
# Remove the domain part from hostname
$template DYNimpstat,"/dailylog/HOSTS/%HOSTNAME:R,ERE,1,FIELD:^([a-zA-Z0-9-]+)(\.[a-zA-Z0-9-]+)*$--end%/%$YEAR%-%$MONTH%-%$DAY%/impstat"
# Remove the domain part from hostname
$template DYNfw,"/dailylog/HOSTS/fwi-pmpp-vdm00/%$YEAR%-%$MONTH%-%$DAY%/fw1-loggrabber-%$HOUR%"
# Remove the domain part from hostname
$template DYNfw1,"/dailylog/HOSTS/fwi-pmpp-vdm00/%$YEAR%-%$MONTH%-%$DAY%/fw1-%$HOUR%"
$template DYNfw2,"/dailylog/HOSTS/fwi-pmpp-vdm00/%$YEAR%-%$MONTH%-%$DAY%/fw2-%$HOUR%"
$template forcedhost,"%timegenerated% %msg:F,124,6:3,18% %syslogtag%%msg:::drop-last-lf%\n"
$template forcedhost1,"%timegenerated% fw1 %syslogtag%%msg:::drop-last-lf%\n"
$template forcedhost2,"%timegenerated% fw2 %syslogtag%%msg:::drop-last-lf%\n"
## Remote logs to LOCAL
# Remote logs to
ruleset(name="remote_RS"
queue.type="LinkedList"
queue.filename="mainqrs"
queue.size="500000"
queue.maxdiskspace="5g"
queue.highwatermark="450000"
queue.lowwatermark="5000"
queue.discardseverity="7"
queue.saveonshutdown="on"
) {
#shouldn't be *.* but host except Seclin
if $programname startswith 'fw1-loggrabber' then action(type="omfwd" target="xx.xx.xx.xx"
port="5540" protocol="tcp" template="forcedhost"
queue.type="LinkedList"
queue.filename="splunkfw"
queue.size="500000"
queue.maxdiskspace="1g"
queue.highwatermark="450000"
queue.lowwatermark="5000"
queue.discardseverity="7"
queue.saveonshutdown="on"
)
& action(type="omfile" ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off"
dynaFile="DYNfw")
& stop
*.* action(type="omfwd" target="xx.xx.xx.xx" port="5540" protocol="tcp"
queue.type="LinkedList"
queue.filename="splunk"
queue.size="500000"
queue.maxdiskspace="3g"
queue.highwatermark="450000"
queue.lowwatermark="5000"
queue.discardseverity="7"
queue.saveonshutdown="on"
)
if $programname startswith 'audispd' then action(type="omfile" dynaFileCacheSize="2000" ioBufferSize="64k"
asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNaudit")
& stop
if ($programname startswith 'fw1-loggrabber') & (%msg:F,124,6:3,18% == "xx.xx.xx.xx") then action(type="omfile"
ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfw1")
& stop
if $programname startswith 'fw1-loggrabber' then action(type="omfile" ioBufferSize="8k"
asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfw")
& stop
if $programname startswith 'rsyslogd-pstats' then action(type="omfile" dynaFileCacheSize="2000"
ioBufferSize="4k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNimpstat")
& stop
*.* action(type="omfile" dynaFileCacheSize="10000" ioBufferSize="32k" asyncWriting="on"
flushOnTXEnd="off" dynaFile="DYNfile")
}
###
#
# Log anything (except mail and cron) of level info or higher to centralog
# including auditd message which log on daemon.info facility
#
#if $programname startswith 'fw1-loggrabber' then action(type="omfile" file="/var/log/pms1"
name="fw1" template="forcedhost" )
#& stop
if $programname startswith 'rsyslogd-pstats' then action(type="omfile"
file="/var/log/syslog-stats.log" name="impstat")
*.* action(type="omfwd" target="localhost" port="5140" protocol="tcp"
name="localfwd"
queue.type="LinkedList"
queue.filename="forwarding"
queue.size="100000"
queue.maxdiskspace="5g"
queue.highwatermark="80000"
queue.lowwatermark="2000"
queue.discardseverity="7"
queue.saveonshutdown="on"
)
###
#
# Auditd is configured to send its messages to syslog through the audispd syslog plugin.
# By default, the messages are sent into /var/log/audit/audit.log
# and on the daemon facility (hardcoded in source file)
#
# So in order to avoid duplicate messages into /var/log/messages;
# we use rsyslog property-based filter,
# see http://www.rsyslog.com/doc-rsyslog_conf_filter.html
#
# Send the auditd messages to centralog
# then discard them with '~' to avoid duplicate messages in /var/log/messages
#
:programname, contains, "audispd" stop
###
#
# Log anything (except mail,cron and auth) of level info or higher.
#
*.info;mail.none;authpriv.none;auth.none;cron.none /var/log/messages
# The authpriv file has restricted access.
auth.*;authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Friday 27 November 2015 12:09
To: rsyslog-users
Subject: Re: [rsyslog] Help with property replacer
On Fri, 27 Nov 2015, Maupertuis Philippe wrote:
Hi,
I am facing a situation where logs are pulled from a remote server through a
specific program.
The syslog message comes from the host where the program runs while the ip of
the real server is inside the message.
I have been able to reformat the message like that :
$template forcedhost,"%timegenerated% %msg:F,124,6:3,18% %syslogtag%%msg:::drop-last-lf%\n"
With this I get the IP address of the real host but I would like to go one step
further and set the name of the host instead of its ip address.
I have only two hosts for which I retrieve data so I can just test the IP
address to set the host.
I tried to use the property replacer in a test but I got syntax error.
Is there any way to do that with rsyslog 7.4, with which I am stuck for legal reasons?
yes, you can do it with 7.4, but we can't tell you what the error is without
seeing the config you are using. the error message you get would be helpful as
well.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
This e-mail and the documents attached are confidential and intended solely for
the addressee; it may also be privileged. If you receive this e-mail in error,
please notify the sender immediately and destroy it. As its integrity cannot be
secured on the Internet, the Worldline liability cannot be triggered for the
message content. Although the sender endeavours to maintain a computer
virus-free network, the sender does not warrant that this transmission is
virus-free and will not be liable for any damages resulting from any virus
transmitted.
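The two approaches discussed in the thread, written out as an added example (this is not code from the thread or from the rsyslog project). Part 1 is David Lang's suggestion: run the property replacer through a template, store the result with exec_template() in a local variable, and test the variable in the condition. Part 2 is a variant for rsyslog 7.4, where exec_template() and `$.` local variables are not available, that tests the field with the RainerScript field() function instead of the property replacer and selects one of the hard-coded forcedhost1/forcedhost2 templates the original config already defines. Assumptions: the addresses 192.0.2.10 and 192.0.2.11 stand in for the xx.xx.xx.xx values masked in the thread, collector.example is the forwarding target, and the DYNfw* and forcedhost* templates are the ones from the posted config. The field extraction `%msg:F,124,6:3,18%` is the one the thread reports as working; whether field() is accepted by a given 7.4 build should be confirmed with the same `rsyslogd -N3 -f <file>` validation run shown above before the file is installed.

```rsyslog
# Added example, not from the thread: map the firewall IP carried inside the
# message to a host name, then forward and archive the rewritten line.
# 192.0.2.10 / 192.0.2.11, collector.example and the DYN*/forcedhost* template
# names are assumptions (the thread masks the real addresses).

# --- Part 1: recent rsyslog (exec_template and $. locals available) ---
# The property replacer is only valid inside a template, so the extraction
# lives in its own template and exec_template() copies its output into $.fwip.
template(name="fw_ip" type="string" string="%msg:F,124,6:3,18%")
template(name="forcedhost_named" type="string"
         string="%timegenerated% %$.fwhost% %syslogtag%%msg:::drop-last-lf%\n")

ruleset(name="fw_named") {
    set $.fwip = exec_template("fw_ip");
    if $.fwip == "192.0.2.10" then { set $.fwhost = "fw1"; }
    else if $.fwip == "192.0.2.11" then { set $.fwhost = "fw2"; }
    else { set $.fwhost = $.fwip; }   # unknown sender: keep the raw IP, never relabel it
    action(type="omfwd" target="collector.example" port="5540" protocol="tcp"
           template="forcedhost_named")
    action(type="omfile" dynaFile="DYNfw" template="forcedhost_named")
    stop
}

# --- Part 2: rsyslog 7.4 (no exec_template) ---
# field($msg, 124, 6) returns the 6th '|'-separated field of the message, which
# is the field the property replacer above extracts from. Each known address
# gets its own hard-coded template; anything else falls through unchanged so a
# spoofed or new address cannot be written out under a trusted host name.
ruleset(name="fw_named_74") {
    if field($msg, 124, 6) contains "192.0.2.10" then {
        action(type="omfile" dynaFile="DYNfw1" template="forcedhost1")
        stop
    }
    if field($msg, 124, 6) contains "192.0.2.11" then {
        action(type="omfile" dynaFile="DYNfw2" template="forcedhost2")
        stop
    }
    action(type="omfile" dynaFile="DYNfw" template="forcedhost")
    stop
}

# Dispatch only the loggrabber output; use fw_named_74 on a 7.4 host.
if $programname startswith 'fw1-loggrabber' then call fw_named
```

The else branches matter operationally: the rewritten host column is what the SIEM downstream will index, so a message from an address that is not in the mapping must keep its real IP rather than being folded into fw1 or fw2. Both rulesets also hold the `stop` inside the matching branch so the loggrabber lines never reach the catch-all `*.*` forwarding and file actions of the posted remote_RS ruleset a second time.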